Data of millions of Mobikwik users is up for sale on the Darknet. This leak was first reported by an independent security researcher Rajshekhar Rajaharia. It seems this is the KYC data collected by Mobikwik because the data includes PAN number, Aadhaar, debit/credit cards, phone numbers, and other personally identifiable details that consumers share for the KYC process.
The MySQL dump of the data is around 350GB but the leak also includes photos of Aadhar cards, pan cards, selfies, etc that the company saved for the KYC. These photos are around 7.5 TB in size. The leak also includes 40 million records of digital card data and 99 million records of user data. In total, the leaked data is 8.2TB in size.
Anyone can search for the personal details of users by phone number or email address. The hacker who has access to the data is selling the whole database for 1.5Bitcon. He also promises to delete all the data after receiving the amount.
After the initial claim, a self-proclaimed hacker Elliot Alderson claimed that the breached data is as much as 8.2TB in size. He also tweeted, “Probably the largest KYC data leak in history.”
Surprising thing is that Mobikwik has denied any data breach on its servers. The company’s response is disappointing. It is blaming on to researchers while the data suggest a different story. Mobikwik should have a courage to accept mistakes and should invest in security infrastructure to make data safe. A payment company cannot just let go these serious incidents.
Indian government should also look into this serious matter and make struct rules for data leaks. Companies should disclose and cooperate in investigation..